Researchers at the Chinese IT firm Qihoo 360 Netlab write in a blog that this attack, which has been ongoing for about five months, has affected sites that sell a range of consumer goods, including high-end handbags, mountain bikes, baby products, wine and electronics.

This scheme involves a malicious domain name called magento-analytics[.]com, which Netlab researchers first noticed in October 2018 and have been tracking ever since. The attackers are apparently trying to disguise themselves by using a name that closely resembles Magento, a content management system owned by Adobe and used by thousands of online retailers.

This is the second time in a week that security researchers have uncovered a skimmer attack targeting e-commerce websites. On May 3, Trend Micro described the activities of a new group called Mirrorthief, which targeted online campus stores in both the U.S. and Canada (see: JavaScript Sniffer Attacks: More Online Stores Targeted).

Many other attacks using skimmers, also called JavaScript sniffers, are closely associated with an umbrella group called Magecart, which has increased its activity over the last year (see: Magecart Nightmare Besets E-Commerce Websites).

While Netlab doesn't mention Magecart in its report, the new attack it describes bears all the hallmarks of the group, says Yonathan Klijnsma, a threat researcher at RiskIQ who has been tracking Magecart and skimmer attacks over the last several months.

"It is exactly the same," Klijnsma tells Information Security Media Group. "This isn't a new style of attack; it's just another skimmer. The skimmer used here comes from a kit you can buy to start your web-skimming empire. We've seen the same code on a lot of other websites but served from many different domains because of the skimmer's accessibility."

Payment Sites in the Crosshairs

Over the last 12 months, criminal gangs have used skimmers or JavaScript sniffers in a series of attacks to steal credit card numbers and then sell them on dark net sites.

One reason that skimmers and JavaScript sniffers are gaining in popularity is that they are inexpensive to buy or develop, are difficult to remove once installed on a target site, and can be tailored to different needs and specific attacks, according to Group-IB, which has published extensive research on these malicious tools (see: E-Commerce JavaScript Sniffer Attacks Proliferate: Report).

These tools work in much the same way as a credit card skimmer. But instead of physically attaching a device to an ATM, a JS sniffer uses a few lines of code injected onto an e-commerce site to skim data that consumers use to buy goods. The malware is available for purchase for $250 to $5,000 on underground forums, the Group-IB analysis found.

In this latest case, Netlab researchers were able to track how the malicious JavaScript works on sites that were infected. In most cases, these skimmers are designed to steal credit card data, including the customer's name, card number, expiration date and CVV information.

Skimmer stealing credit card data during checkout (Image: Netlab)

In an example that Netlab researchers show, the malicious JavaScript runs in the background until the customer reaches the "Payment Information" page. Once the CVV for the credit card is entered, the malicious code sends the stolen data to the attack group.

Malicious Domain

At the heart of this new attack is the magento-analytics[.]com domain that Netlab researchers have tracked for several months. The domain was originally registered in Panama, and its IP address has since moved several times to such far-flung locations as Arizona, Moscow and Hong Kong, according to the research.

From a regular browser, the magento-analytics[.]com domain returns a 403 page, and a Google search doesn't produce any answers either. But Netlab researchers were able to track the domain and study it.

In their analysis, the researchers note that the domain name has been hosting JS scripts since the beginning of December 2018. Once the JavaScript is loaded onto a site, the script attempts to skim credit card and other data every 500 milliseconds. And once it collects that information, it sends it back to the gang controlling the attack, the Netlab researchers report.
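The behaviour described above, and in the earlier passages on how a JS sniffer is injected into a checkout page and fires once the payment form is filled in, comes down to two things a site owner can check for: a script loaded from a host the shop never approved, and outbound requests from the payment page to that host. The example below, added here and not code from Netlab, RiskIQ or ISMG, audits a page's `<script src>` hosts against an allowlist, rates a lookalike host (one borrowing a brand word such as "magento") as high severity, and builds a Content-Security-Policy value that confines both script loading and the outbound channels a skimmer can use. The shop hostnames, the allowlist and the HTML are constructed for the example, and `magento-analytics.invalid` is a placeholder standing in for the domain the article names.

```python
"""Checkout-page script audit plus a CSP allowlist check.

Added example for this article; not code from Netlab, RiskIQ or ISMG.
Hostnames, allowlist and HTML are constructed. "magento-analytics.invalid"
is a placeholder for the lookalike domain the article reports.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example"                                          # constructed
ALLOWED_SCRIPT_HOSTS = {"cdn.shop.example", "js.payments.example"}  # constructed
BRAND_TERMS = ("magento", "analytics")  # words a lookalike host tends to borrow

# Constructed sample page; the last <script> tag is the kind of injection the
# article describes, loaded from a host the shop never approved.
CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/vendor.js"></script>
<script src="https://js.payments.example/v1/form.js"></script>
<script src="https://magento-analytics.invalid/static/analytics.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def host_allowed(host, allowed):
    """True if host equals an allowlist entry or falls under a '*.domain' entry."""
    for entry in allowed:
        if entry.startswith("*."):
            if host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def audit_scripts(html, page_host=PAGE_HOST, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (severity, host, src) for each script loaded from an unapproved host.

    Severity is 'high' when the host imitates a brand term (the disguise the
    article describes), otherwise 'medium'.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        host = (urlparse(src).hostname or page_host).lower()  # relative URL: same origin
        if host == page_host or host_allowed(host, allowed):
            continue
        severity = "high" if any(t in host for t in BRAND_TERMS) else "medium"
        findings.append((severity, host, src))
    return findings


def build_csp(script_hosts, connect_hosts):
    """CSP value confining scripts and their outbound requests to known hosts.

    connect-src covers fetch/XHR, img-src covers beacon images and form-action
    covers posted forms: the channels card data could leave the page through.
    """
    return (
        "default-src 'self'; "
        f"script-src 'self' {' '.join(sorted(script_hosts))}; "
        f"connect-src 'self' {' '.join(sorted(connect_hosts))}; "
        "img-src 'self' data:; form-action 'self'; object-src 'none'"
    )


def csp_blocks(csp, directive, url, page_host=PAGE_HOST):
    """True if the named directive (falling back to default-src) rejects the URL.

    Handles 'self', bare hosts and '*.' wildcards; nonces, hashes, schemes and
    paths are out of scope for this example.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    sources = directives.get(directive, directives.get("default-src", []))
    allowed = set()
    for s in sources:
        if s == "'self'":
            allowed.add(page_host)
        elif not s.startswith("'") and ":" not in s:  # skip 'none' and scheme sources
            allowed.add(s.lower())
    host = (urlparse(url).hostname or page_host).lower()
    return not host_allowed(host, allowed)


if __name__ == "__main__":
    for severity, host, src in audit_scripts(CHECKOUT_HTML):
        print(f"[{severity}] unapproved script host {host}: {src}")
    policy = build_csp(ALLOWED_SCRIPT_HOSTS, {"api.payments.example"})
    print("Content-Security-Policy:", policy)
    print("exfil blocked:", csp_blocks(policy, "connect-src", "https://magento-analytics.invalid/collect"))
```

The audit is a point-in-time check; a skimmer that is added later, or one injected into an already-approved first-party file, will not show up in it, which is why the CSP (ideally deployed first in report-only mode) and the patching advice later in the article matter more than any single scan.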

The legitimate Magento platform is a frequent target of Magecart and other groups due to its popularity with online retailers, according to research published by RiskIQ and Group-IB. One of the skimmers that these groups use is called MagentoName because it is designed to take advantage of vulnerabilities in older versions of the Magento content management system.

"For the most part, these attacks are relatively easy to undertake with a low bar of entry in terms of criminal sophistication," Klijnsma of RiskIQ says. He urges online retailers to update and patch their content management platforms to avoid these types of attacks.

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
